Hi,

I know the issue means the client (or name of the client) is wrong, but I can't figure out why. I attempted to create it using the commands, the keytab looks fine, and I have another server working, but on a previous version. So I'm stuck...

Environment is an AD with a child domain, e.g. example.com and child.example.com. Servers are 1 Ubuntu 14.04 (sssd 1.11.8-0ubunt) and 1 16.04 (sssd 1.13.4-1ubuntu1.7). I am trying to add them to child.example.com and log in with my_user@example.com. It does work on 14.04, not on 16.04.

Join to the domain is achieved with adcli join child.example.com -U my_user@EXAMPLE.COM, which creates the keytab and the object in AD, and AFAIK this is good; I can see the objects in AD child.example.com, and the keytabs are generated with a bunch of principals. For every file or setup that I know of, both servers are identical (krb5.conf, sssd.conf, resolv.conf, hosts, ntp.conf, I followed most of https://help.ubuntu.com/lts/serverguide/sssd-ad.html).

I have tried to raise the log_level to 9 in [sssd], [domain/example.com] and [domain/child.example.com], but I have no message in krb5_child.log...

On the machine that works, I can log in with my_user@example.com; on the other I get a "client not found in Kerberos database" error and the backend goes offline.

On the machine with the offline backend I get:
(Tue Sep 12 14:04:00 2017) [sssd[be[example.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/servernotok.child.example.com@CHILD.EXAMPLE.COM in keytab.
(Tue Sep 12 14:04:00 2017) [sssd[be[example.com]]] [match_principal] (0x1000): Principal matched to the sample (host/servernotok.child.example.com@CHILD.EXAMPLE.COM).
(Tue Sep 12 14:04:00 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected primary: host/servernotok.child.example.com
(Tue Sep 12 14:04:00 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected realm: CHILD.EXAMPLE.COM
(Tue Sep 12 14:04:00 2017) [sssd[be[example.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/servernotok.child.example.com
[...]
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0]
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2039
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ad.example.com' as 'not working'

In AD child.example.com I do have a computer object entry with
servicePrincipalName RestrictedKrbHost/servernotok.child.example.com
servicePrincipalName RestrictedKrbHost/SERVERNOTOK
servicePrincipalName host/servernotok.child.example.com
servicePrincipalName host/SERVERNOTOK

sssd.conf looks like:
root@servernotok:/var/log/sssd# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
debug_level =9
domains = child.example.com,example.com
services = nss, pam

[domain/child.example.com]
enumerate = true
dns_discovery_domain = cy2._sites.child.example.com
debug_level = 9
id_provider = ad
access_provider = ad
ldap_id_mapping = false

[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 9
ldap_sasl_authid =  host/servernotok.child.example.com@BRS666.BCRS.FR
id_provider = ad
access_provider = ad
ldap_id_mapping = false

I have tried to force ldap_sasl_authid; without it, it didn't find any match for servernotok@EXAMPLE.COM, and I got the same "client not found in Kerberos database" error message.

So I am stuck here; I do not even know if the right behaviour is the one that works or not :-)

Thanks for your help,

Jeremy
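As an added example (not part of the original post or of sssd itself), a small parser for the sssd backend log format quoted above: it pulls out, per backend domain, which keytab principal and realm `select_principal_from_keytab` chose, the krb5 error code the child returned, and which servers were then marked down, and flags a backend that picked a principal from a realm other than its own domain, which is exactly what the be[example.com] lines in the post show. The log text is the poster's own lines, embedded here as a constructed sample; the function names are assumptions.

```python
import re

# Constructed sample: the sssd be[example.com] lines quoted in the post above.
SAMPLE_LOG = """\
(Tue Sep 12 14:04:00 2017) [sssd[be[example.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/servernotok.child.example.com@CHILD.EXAMPLE.COM in keytab.
(Tue Sep 12 14:04:00 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected primary: host/servernotok.child.example.com
(Tue Sep 12 14:04:00 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected realm: CHILD.EXAMPLE.COM
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0]
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ad.example.com' as 'not working'
"""

# Standard sssd backend line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$"
)

def parse_sssd_log(text):
    """Yield one dict per line that matches the sssd backend log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarize_tgt_attempts(text):
    """Per backend domain: chosen keytab principal/realm, krb5 child result, servers marked down."""
    summary = {}
    for rec in parse_sssd_log(text):
        d = summary.setdefault(rec["domain"], {"primary": None, "realm": None,
                                               "krb5_error": None, "servers_marked_down": []})
        msg = rec["msg"]
        if rec["func"] == "select_principal_from_keytab":
            if msg.startswith("Selected primary: "):
                d["primary"] = msg[len("Selected primary: "):]
            elif msg.startswith("Selected realm: "):
                d["realm"] = msg[len("Selected realm: "):]
        elif rec["func"] == "sdap_get_tgt_recv":
            m = re.search(r"Child responded: (\d+) \[([^\]]+)\]", msg)
            if m:  # krb5 error code and its text, e.g. 14 = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
                d["krb5_error"] = (int(m.group(1)), m.group(2))
        elif rec["func"] == "fo_set_port_status":
            m = re.search(r"port (\d+) of server '([^']+)' as 'not working'", msg)
            if m:
                d["servers_marked_down"].append((m.group(2), int(m.group(1))))
    return summary

def realm_mismatch(domain, info):
    """True when the backend for `domain` used a keytab principal from a different realm."""
    return info["realm"] is not None and info["realm"].lower() != domain.lower()

if __name__ == "__main__":
    for domain, info in summarize_tgt_attempts(SAMPLE_LOG).items():
        print(domain, info, "realm mismatch" if realm_mismatch(domain, info) else "realm matches")
```

Running it against the lines from the post shows be[example.com] selecting host/servernotok.child.example.com@CHILD.EXAMPLE.COM and then receiving krb5 error 14, which is worth comparing with the same lines on the 14.04 machine that works.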